BYOD? I’m a small business – why should I care?

SME guide to consumerisation and BYOD

Mobilk - Everybody’s talking about the consumerisation of IT and BYOD, but why should it affect you and what are the security risks? This short, easy-to-digest guide is designed to give you all the info you need to make an informed decision about what to do next.

The workplace is changing fast. Driven by evolving expectations and a revolution in consumer technologies, staff today expect to be able to use the same smartphone, tablet, email account or social networking feed they use at home, in the office. While that can bring huge productivity benefits, some cost savings and generally make your staff happier, it must be managed correctly to avoid any security failings.

BYOD

We’re undergoing a mobile revolution. More smartphones were shipped globally than PCs in Q4 2011 (Canalys), and Android and iOS are the clear leading platforms. Their combined share of the market rose from 54 per cent in Q1 2011 to a whopping 82 per cent at the start of 2012, with Android out in front with a 59 per cent share versus iOS 23 per cent. Unfortunately, though, these platforms are not designed to protect your data in the same way the trusty old BlackBerry is.

The risks:

•A comprehensive new Trend Micro report analysed all the major mobile platforms and gave them an average score according to 12 attributes. BlackBerry was the clear leader with 2.89, then came iOS5 (1.7 per cent), Windows Phone 7.5 (1.61 per cent) and finally Android v2.3 (1.37 per cent).

•The main risks to smartphones and tablets come from downloading malware hidden in legitimate apps. This is a smaller risk for iOS users because all apps are vetted strictly before being allowed in the App Store, but much bigger for Android because it is a more open system.

•There’s also a risk that a user could click on a malicious link, or open a malicious attachment on their mobile and, because they’re not protected, get infected.

As in the PC world, malware is created to steal valuable information, turn the device into part of a botnet or make money for the criminal in other ways, such as by calling premium rate numbers.

If you have staff devices connecting to the network; it’s worth creating a simple policy for users to safeguard your corporate data.

This policy could include the following:

•Use a PIN/password/fingerprint scan to lock the device in order to protect data in the event of it being stolen

•Don’t download any un-sanctioned apps; or visit any un-official / third party app stores

•Don’t jailbreak/root your phone as this can further expose it to secure risks

•Avoid free, unsecured Wi-Fi access when out and about

To help enforce this policy, consider:

•Security software for the device, ideally one which will allow you to manage all the devices in your company

•Mobile device management software that can also help enhance the security further e.g. remote wiping a device if it is lost or stolen or enforcing encryption.

Online data sync and access

It’s not all about protecting the mobile. Cloud-based, Dropbox-style solutions are increasingly popular ways for users to share information with colleagues, collaborate on projects and even back-up data online, but there are risks involved. If your employees are using consumer accounts in a very ad hoc way then they will be able to take that account – and potentially your IP – with them when they leave. It is also hard to understand and more importantly control who is sharing data externally and with whom.

It is therefore worth investing in a solution with the following features:

•Designed for business users, so that you can manage all accounts centrally and keep control when staff leaves the company.

•Expiry dates or passwords can be set on sharing links so that the company data being connected to in the cloud will be protected in the event that the links get into the wrong hands.

•Offer cloud based sharing folders for simple and controlled collaboration for teams and projects

•Encryption on all data at rest in the provider’s datacentre

•Offers SLAs to guard against down-time etc

Social networking, webmail, VoIP etc

Social networking has become a part of our everyday lives, and employees are not only demanding to be able to use personal accounts at work, these channels can be used effectively in an official B2C capacity to engage with customers. Similarly, web mail, VoIP and other online communication technologies are now used in the workplace as they are highly intuitive and user-friendly.

Predictably, where people go, criminals soon follow and these services can also offer an effective channel via which to attack your machines; whether by brute force attacks designed to crack account log-ins, or infection via malicious links or attachments.

•Ensure corporate accounts are locked with strong passwords and don’t share log-ins between different accounts.

•Draw up an acceptable use policy for social networking

•Ensure your corporate desktop security has the capability to scan for malicious links and attachments – cloud based systems are best as they block any malware before it can reach the network

It might seem like a daunting task trying to mitigate all the risks mentioned here, but banning the use of consumer hardware and online services in the office is not going to work. You should take advantage of the benefits they bring to your business, but only say yes to the ones you can manage and secure satisfactorily.

Remember, cyber criminals these days are a well-resourced, well-trained bunch who will go for the biggest platforms and the easiest targets in order to get hold of your data and make a profit. So make sure your business isn’t caught napping.